CISA Certified Information Systems Auditor – Question2773

Which of the following is the MOST important IS audit consideration when an organization outsources a customer credit review system to a third-party service provider? The provider:

A.
meets or exceeds industry security standards.
B. agrees to be subject to external security reviews.
C. has a good market reputation for service and experience.
D. complies with security policies of the organization.

Correct Answer: B

Explanation:

Explanation:
It is critical that an independent security review of an outsourcing vendor be obtained because customer credit information will be kept there. Compliance with security standards or organization policies is important, but there is no way to verify or prove that that is the case without an independent review. Though long experience in business and good reputation is an important factor to assess service quality, the business cannot outsource to a provider whose security control is weak.